Time Based Evasion

Information

• Name: Time Based Evasion

• ID: T1497.003

• Tactics: TA0005, TA0007

• Technique: T1497

Introduction

Time Based Evasion (T1497.003) is a sub-technique within the MITRE ATT&CK framework under the broader category of Virtualization/Sandbox Evasion (T1497). Attackers leverage this technique to evade detection and analysis by introducing delays or specific timing conditions into their malicious payloads or operations. The primary goal is to avoid execution in sandbox environments or automated analysis systems that typically have strict execution time constraints, thus allowing threats to remain undetected and persist in targeted environments.

Deep Dive Into Technique

Attackers using Time Based Evasion typically implement timing delays or conditional time checks within their malicious code. These methods help the malware evade automated and sandbox-based analysis systems, which often run samples for only a limited duration. Common technical implementations include:

• Execution Delays:

  • Malware may intentionally pause execution for extended periods using functions such as sleep(), WaitForSingleObject(), or similar system calls.

  • Delays may range from seconds to hours or even days, exceeding typical sandbox analysis timeframes.

• System Uptime Checks:

  • Malware checks system uptime to determine if it is running within a recently initialized sandbox environment.

  • If uptime is below a certain threshold (e.g., a few minutes), the malware refrains from executing malicious payloads.

• Time-based Conditional Execution:

  • Payloads execute only at certain dates, times, or intervals, ensuring they evade short-term sandbox analysis.

  • Attackers may use system date/time checks (GetSystemTime(), time()) to trigger execution during non-working hours or holidays, reducing the likelihood of detection by security teams.

• Resource Usage Monitoring:

  • Malware may monitor CPU or memory usage, delaying execution until resource utilization indicates a realistic user environment rather than a sandbox.

Attackers often combine these timing-based evasion techniques with other sandbox evasion methods to maximize effectiveness.

When this Technique is Usually Used

Time Based Evasion is typically employed by attackers at various stages of cyber-attacks, including:

• Initial Access and Delivery:

  • Malware delivered via phishing emails or drive-by downloads incorporates timing delays to evade email gateways or sandbox analysis during initial infection stages.

• Execution and Persistence:

  • Malicious scripts or payloads incorporate delayed execution to bypass endpoint detection and response (EDR) tools or sandbox environments that execute files immediately upon download or arrival.

• Command and Control (C2) Communications:

  • Attackers schedule C2 communications to occur after certain intervals, avoiding detection by network monitoring systems that analyze short-term traffic patterns.

• Targeted Attacks and Advanced Persistent Threats (APTs):

  • Sophisticated threat actors frequently use timing evasion techniques to remain undetected for extended periods, maintaining persistence within victim networks.

How this Technique is Usually Detected

Detecting Time Based Evasion can be challenging, but multiple methods and tools can assist in identifying suspicious activity:

• Extended Sandbox Analysis:

  • Increasing sandbox runtime durations beyond typical analysis periods (e.g., hours or days) can reveal delayed execution behavior.

• Behavioral Analysis and Monitoring:

  • Endpoint Detection and Response (EDR) solutions monitor suspicious API calls such as Sleep() or unusual delays in execution patterns.

  • Behavioral analytics tools identify anomalies in execution times or system uptime checks.

• Static and Dynamic Analysis:

  • Static code analysis tools can detect suspicious timing functions embedded in binaries or scripts.

  • Dynamic analysis tools capable of manipulating system time or uptime parameters can trigger malware execution and expose malicious behavior.

• Indicators of Compromise (IoCs):

  • Presence of suspicious API calls related to timing (Sleep(), WaitForSingleObject(), GetTickCount(), NtDelayExecution()).

  • Unusual file execution timestamps or scheduled tasks with abnormal delays.

  • Sudden execution of dormant processes after extended idle periods.

Why it is Important to Detect This Technique

Early detection of Time Based Evasion is crucial due to the potential severe impacts on systems and networks:

• Prolonged Undetected Presence:

  • Malware employing timing evasion can remain dormant and undetected for extended periods, increasing the risk of data exfiltration, lateral movement, and long-term persistence.

• Enhanced Attack Success Rate:

  • Time-based evasion allows attackers to bypass automated security defenses, significantly increasing the likelihood of successful compromise and exploitation.

• Increased Damage and Cost:

  • Delayed detection typically leads to increased remediation costs, greater data loss, and prolonged business disruption.

• Difficult Incident Response:

  • Malware that employs timing evasion complicates forensic analysis and incident response efforts, making it harder for security teams to reconstruct attack timelines accurately.

Examples

Real-world examples of Time Based Evasion techniques include:

• Dridex Banking Trojan:

  • Dridex variants have been observed employing delays ranging from minutes to hours before executing their malicious payloads, effectively evading sandbox detection and automated malware analysis systems.

• Ursnif Malware:

  • Ursnif has incorporated system uptime checks, refusing to execute payloads if the system has been running for less than a specific threshold, indicating a sandbox environment.

• Emotet Malware:

  • Emotet has utilized sleep calls and time-based conditional execution, delaying payload activation to bypass sandbox environments and automated email gateway analysis.

• APT29 (Cozy Bear):

  • This sophisticated threat group has been known to schedule malicious tasks and payloads to execute after lengthy delays, thus avoiding detection by endpoint security products and sandbox environments.

Attackers frequently leverage common tools and APIs for implementing timing evasion, including:

• Windows API: Sleep(), GetTickCount(), WaitForSingleObject(), NtDelayExecution()

• Linux/Unix commands: sleep, at, cron

• Scripting languages: Python (time.sleep()), PowerShell (Start-Sleep)

The impacts of these real-world examples have included successful infection, data theft, financial losses, and significant disruption to affected organizations.